New Phishing Technique Exploits Browser Bug

Researchers at Trusteer, a security company, have warned of a new "in-session phishing" attack that could become active by exploiting a loophole discovered in all dominant browsers. This loophole could allow cyber criminals to capture users' Internet banking credentials.

According to the news report, the sophisticated phishing attack could be launched to insert bogus information queries into the popular browsers as well as many well-known Internet applications such as electronic brokerage and banking systems. Basically, the malicious technique deceives users into giving away their information after they have logged into different websites.

Evidently, this new phishing method enables scammers to claim fresh victims.

A conventional phishing attack involves criminals sending a huge number of fake e-mails that purport to come from established organizations or institutions such as online payment firms or banks. Anti-spam software often filters and blocks these phony e-mails. In the case of "in-session phishing", however, the fraudulent e-mails are dropped and replaced with a browser pop-up window.

The new technique involves scammers compromising a legitimate website and injecting HTML code that appears as a pop-up window displaying a security alert. This pop-up would ask the user to enter their password and other log-in details, and probably to answer the security questions that banks use to confirm their customers' identity.

However, the difficult part of the attackers' job is to make the victims believe that the pop-up alert is genuine. According to Amit Klein, Chief Technology Officer of Trusteer, a loophole in the JavaScript engines of popular browsers provides the solution to this problem, as reported by PCWorld on January 12, 2009.

Klein explained that by examining how browsers use JavaScript, he discovered a technique to determine whether or not a user is accessing a website, provided that a particular JavaScript utility is used. Klein would not disclose that utility for fear that criminals would learn of it and launch attacks, but he has informed browser manufacturers and anticipates that a patch for the loophole will eventually emerge.
